



Following the publication of the German DSK Cookie Consent Guidelines in April 2019, a federal court decision in May 2020 resulted in a change in cookie law enforcement in Germany. In addition, this decision triggered the introduction of a new law in Germany in December 2021.
Private sector companies in Germany are subject to the jurisdiction of state data protection authorities (DPAs). Examples include Hamburg DPA (Hamburgische Beauftragte für Datenschutz und Informationsfreiheit - HmbBfDI), Berlin DPA (Berliner Beauftragte für Datenschutz und Informationsfreiheit - BlnBDI), among others. The DSK (short for “Datenschutzkonferenz” in German) is an association of German state data protection authorities. The DSK deals with and comments on the data protection issues in Germany. It serves as a coordinating body and makes no binding decisions on the organizations.
The German DSK issued its cookie guidelines in April 2019. The DSK cookie consent guidelines were designed to ensure that the German Telemedia Act (Telemediengesetz, or the TMG) was applied to telemedia activities. An example of such activity was the use of website cookies for targeted advertising after the GDPR (DSGVO) came into effect. The German DSK cookie consent guidelines, in particular, clarified and improved the previous statement on using website cookies issued in April 2018.
The German Federal Court of Justice ruled in May 2020 that an opt-out mechanism for cookies is invalid under the German Telemedia Act. This decision stated unequivocally that the use of all non-essential cookies requires explicit cookie consent or opt-in from website users.
Essentially, the Federal Court of Justice directed the DPA to incorporate GDPR (DSGVO) requirements into future enforcement actions. The German Court of Justice's directive came after the European Union’s Court of Justice (CJEU) issued its ruling in the Planet 49 case.
Additionally, the German Court of Justice's decision broadened the scope of the German Data Protection Conference’s (DSK) guidelines for the use of website cookies, which were published on April 5, 2019.
On December 1, 2021, the Federal Act on the Regulation of Data Protection and Privacy in Telecommunications and Telemedia (TTDSG) entered into force in Germany, consolidating the German Telemedia Act and Telecommunication Act of 1996 as well as implementing the EU ePrivacy Directive's cookie consent requirements.
On December 22, 2021, the DSK issued its Guidance for Providers of Telemedia Services, which was primarily concerned with the “cookie provision” of the new German Telecommunication and Telemedia Privacy Act. The guidelines focus on the TTDSG's consent requirements and exceptions for cookie consent.
Other Data Protection Authorities that have issued cookie guidelines are as follows:
- Spanish AEPD Cookie Guidelines: The Ultimate Guide
- The Belgian Data Protection Authority
- French CNIL Consent Guidelines
- The Dutch DPA's Cookie Consent Guidelines
- Greek DPA Cookie Consent Guidelines
With this in mind, let's look at what it takes to obtain GDPR and TTDSG-compliant cookie consent for your German website.
The EU's General Data Protection Regulation, which was adopted in May 2018, imposed strict regulations on how you collect and process data from EU citizens.
In this context, personal data refers to information that can be used to identify an individual, such as:
Based on this understanding, the GDPR's main principles are as follows:
Ensure you know all the categories of personal information you collect to avoid collecting unnecessary data.
You should implement relevant data retention measures for your users and remove them when they are no longer required.
Obtain clear and affirmative consent from your website visitors before placing cookies on their devices to collect personal information.
You should disclose the types of personal data you collect, why you collect it, and who receives the personal data you collect.
Check out these extra resources to learn more about what you need to do to be GDPR compliant.
https://gdpr-info.eu/issues/
https://techblog.bozho.net/gdpr-practical-guide-developers/
In layman’s terms, the ePrivacy Directive states that if you want to access your website users' personal information by placing cookies on their device, you must first obtain their consent.
Cookie consent is considered validly obtained under the ePrivacy Directive if it is:
The only exception to this rule is when access to such information is strictly necessary, such as when providing an Electronic Communications Service (ECS) or an Information Society Service (ISS).
The main difficulty in enforcing EU Cookie Law's consent requirements is that it has been interpreted as a directive for having a simple consent banner on your website by most DPAs across Europe.
Similarly, the German Data Protection Conference, the umbrella body of state DPAs, was not enforcing this section of the ePrivacy Directive.
This is because regulators believed that the requirements outlined in this clause were already included in the German Telemedia Act.
All of this changed in May 2020, following a ruling by the European Court of Justice (CJEU) in the case involving Planet 49’s use of advertising cookies, after the German Court of Justice requested clarification from the EU’s top court.
Planet 49, a German company, launched an online competition in 2013 that required participants to provide their name, address, and postcode in order to participate.
Additionally, would-be participants were asked to provide consent to two main requirements;
While the cookie banner's box for marketing communications was left blank, the second box for analytic and marketing cookies was pre-checked.
Because of this, participant complaints compelled the Federation of German Consumer Organizations to sue Planet 49.
The German Court of Justice referred the case to the CJEU for legal interpretation and guidance.
The CJEU issued its decision in May 2020, concluding that Planet 49’s practices violated cookie consent requirements under both the GDPR (DSGVO) and the ePrivacy Directive.
As previously stated, the ePrivacy Directive provides that consent is only valid when it is freely given, specific, and provides a clear indication of the user’s wishes.
It's also worth noting that, according to the EU Cookie Law, a checkbox is a legal way to obtain cookie consent.
The CJEU's primary findings in this case are as follows:
The ePrivacy Directive was not fully implemented in Germany because some of its requirements were considered similar to the German Telemedia Act.
This means that the Planet 49 decision did not completely change the law. Instead, it had one significant implication:
For the sake of clarity, this means:
Our blog gives you a detailed breakdown of the CJEU’s ruling in the Planet 49 Case. Read it here: https://secureprivacy.ai/blog/the-planet-49-judgement-key-takeaways
The TTDSG is the result of the German Federal Court of Justice's reaction to the validity of consent when placing cookies on end-user devices. The law incorporates Article 5(3) of the EU ePrivacy Directive into Section 25 of the TTDSG, almost word by word. In fact, this was one of the motivations behind the creation of the TTDSG.
According to this section of the TTDSG, the storage of information on end users’ devices or access to information already stored on such devices is only permitted with the end user's consent. There are some exceptions, which are as follows:
The DSK issued its guidelines in December 2021, shortly after the TTDSG went into effect, and they primarily addressed Section 25 of the TTDSG, which implements the cookie consent requirements of the EU ePrivacy Directive.
You must do the following to comply with the German DSK cookie consent guidelines:
For non-essential cookies, such as those set by Google Analytics on your website, you must provide a way for your users to opt in to the tracking of their personal information.
Cookie banners with pre-checked boxes for marketing/advertising cookies and terms such as “by using this website, you agree to our use of cookies” no longer constitute valid consent under German DSK cookie consent guidelines.
In addition to the essential cookies required for your website to function properly, you must allow users to opt-out of tracking cookies in accordance with the German DSK cookie consent guidelines.
The German DSK cookie consent guidelines state that you do not need to obtain user consent to deploy cookies that do not contain personally identifiable information.
Similarly, you are not required to provide users with the ability to opt-out of the deployment of these cookies.
If you only use essential cookies, you should avoid using cookie consent mechanisms (such as a cookie banner) to obtain end-user consent, as this would unnecessarily interfere with the service.
In your cookie and privacy policies, disclose all of the types of cookies you use on your website, as well as the purpose of each.
Tracking cookies are frequently used by Facebook, YouTube, and other third-party widgets on your website. You need to either disable their ability to collect personal data from your users or avoid them entirely.
Learn more about tracking cookies and GDPR compliance here:
https://techblog.bozho.net/tracking-cookies-gdpr/
https://secureprivacy.ai/blog/gdpr-cookie-consent
While the compliance of each cookie banner must be assessed on a case-by-case basis, there are a number of requirements that cookie banners must meet in order to be compliant with German authorities. You can read more on GDPR cookie consent examples and GDPR Cookie Guidelines.
This cookie banner is non-compliant since:
- It does not provide an option to reject cookies
- It does not provide an option for separate consent for each cookie category.
- It does not contain any link or button to an explicit cookie policy/declaration.
(Source: www.fcbayern.com)
This cookie banner is likely compliant since:
- It provides for an option to refuse cookies
- It provides for an option to consent or reject separate cookie categories
- It contains a link to the cookie policy
- It contains a link to the cookie settings where users can get detailed information about each cookie category.
If you are found to be violating the German DSK cookie consent guidelines, you will face GDPR and TTDSG enforcement actions. When it comes to placing cookies on users' devices and accessing information on users' devices, the TTDSG takes precedence over the GDPR. As a result, failure to comply with the TTDSG's cookie consent requirements carries the statutory penalty. In contrast, further processing of information collected through cookies is subject to the GDPR and thus to the penalties under the GDPR.
Notably, the monetary penalty for intentional and unintentional violations of Section 25 of the TTDSG is set at 10,000 EUR. This is far less severe than the administrative penalties outlined in the GDPR. However, any violation which involves subsequent processing of data collected through cookies is subject to GDPR fines.
To comply with German DSK cookie guidelines, you need to ensure that you comply with the following checklist:
▢ Have a cookie consent banner to collect users’ consent to use cookies
▢ Do not place cookies before obtaining consent, except for essential cookies
▢ Do not use cookie walls
▢ Provide explicit information about cookie use and communicate the purposes; include a link to your Privacy Policy and/or Cookie Policy
▢ Do not use pre-ticked boxes
▢ Allow the user to reject cookies; don’t load any cookies before the user decides to use cookies
▢ Collect consent for each category of processing
▢ Provide “accept” and “reject” options in the same manner and with equal prominence.
▢ Do not rely on silence or inactivity, such as browsing the website, to obtain consent
▢ Avoid using third-party widgets or disable their ability to collect personal data from your users
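The prior-consent items in the checklist above (nothing non-essential before a decision, no pre-ticked boxes, per-category consent, no consent by silence) can be enforced in code by routing every cookie write through a single gate. The following is an added example, not code from the DSK guidelines or from any vendor: the category names, the ConsentGate class and the array used as a stand-in for the browser cookie store are assumptions made for illustration, and the cookie values are constructed.

```javascript
// Added example: prior-consent gate. Category names and the cookie-jar
// stand-in are assumptions, not taken from the guidelines or a vendor API.
const CATEGORIES = ["essential", "analytics", "marketing"];

class ConsentGate {
  constructor(jar) {
    this.jar = jar;        // stand-in for writes to document.cookie
    this.decided = false;  // browsing or inactivity never flips this
    this.choices = { essential: true, analytics: false, marketing: false };
    this.pending = [];     // non-essential writes held until a decision
    this.log = [];         // recoverable record of each consent decision
  }

  // Call only from an explicit click on accept, reject or save.
  decide(selection, now = new Date()) {
    for (const c of CATEGORIES) {
      // Anything not explicitly true counts as rejected (no pre-ticked defaults).
      if (c !== "essential") this.choices[c] = selection[c] === true;
    }
    this.decided = true;
    this.log.push({ at: now.toISOString(), choices: { ...this.choices } });
    const held = this.pending;
    this.pending = [];
    held.forEach((w) => this.setCookie(w.name, w.value, w.category));
  }

  setCookie(name, value, category) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    if (category === "essential" || (this.decided && this.choices[category])) {
      this.jar.push(`${name}=${encodeURIComponent(value)}; Path=/; Secure; SameSite=Lax`);
      return "set";
    }
    if (!this.decided) { this.pending.push({ name, value, category }); return "held"; }
    return "blocked"; // user decided and did not opt in to this category
  }
}

// Constructed scenario: three writes before any decision, then the user
// opts in to analytics only.
function demo() {
  const jar = [];
  const gate = new ConsentGate(jar);
  const before = [
    gate.setCookie("session", "abc123", "essential"),
    gate.setCookie("_ga", "GA1.2.constructed", "analytics"),
    gate.setCookie("ads_id", "constructed", "marketing"),
  ];
  gate.decide({ analytics: true });
  return { before, jar: jar.map((c) => c.split("=")[0]), logged: gate.log.length };
}
console.log(demo());
```

The gate only governs writes that pass through it; third-party scripts that set their own cookies still have to be held back from loading until the matching category is accepted.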
Secure Privacy is a powerful yet user-friendly solution for achieving compliance with the German DSK cookie consent guidelines.
With Secure Privacy’s GDPR compliance tool, you get:
Easily customizable and stylish cookie consent banners to help you manage consents from your users and allow them to opt in to and out of the different types of cookies you have on your website in accordance with the ePrivacy Directive and GDPR requirements
Unique cross-domain consent capability that allows your users to manage their cookie preferences across multiple domains in a single step
A powerful cookie policy generator that allows you to automatically customize your cookie declarations and disclosures to your users.
Advanced monthly website scanning to ensure you are aware of all cookies on your website, the type of personal information they collect, their provenance, and the recipients of the data collected.
Prior consent tool to ensure that cookies are not deployed before users consent to the collection and processing of their data.
Real-time logs and consent tracking, so you can maintain recoverable records of your data subjects' consent statuses in case the German DSK requires them.
70+ language support, which enables you to set your cookie consent banner in the language of your target users
Precise geolocation capability that allows you to show your cookie consent banner to German users only.
A future-proof solution with unrivaled agility in responding to evolving cookie consent compliance regulatory changes.
Check out our video and learn more about Secure Privacy’s Top 6 Enterprise Features: https://www.youtube.com/watch?v=iULVRao0UcY&list=LL&index=5
If you want our data protection expert to perform a quick ‘check-up’ of your website, cookie consent banner, or cookie policy, book a call with one of our experts today.
You might also be interested in:
Read our detailed guide on how to make your website compliant with the GDPR: https://secureprivacy.ai/solution/gdpr
German DSK Official Website
German DSK Cookie Consent Guidelines
German DSK Guidance for Providers of Telemedia Services
You may also want to check out these Cookie Consent Guidelines from other EU DPAs:
French CNIL Cookie Consent Guidelines
Irish Data Protection Commission Cookie Consent Guidance
Belgian DPA’s Cookie Consent Guidance
The Spanish AEPD Cookie Consent Guidelines
The Swedish Datainspektionen’s Cookie Consent Guidelines
UK ICO’s Cookie Consent Guidance
Dutch DPA Cookie Consent Guidelines
Greek DPA Cookie Consent Guidelines
Czech Cookie Law